SYN flooding
Geoff Shang
geoff at QuiteLikely.com
Wed May 11 21:15:38 IDT 2011
On Wed, 11 May 2011, Shachar Shemesh wrote:
> This might not be SYN attack at all. This might be just packets arriving too
> fast to be handled. Could it be that during those times that the "attack" is
> arriving, something particularly interesting is on, and the number of
> listeners spikes up, and overflows the VPS's capacity?
No. First, we have a 5mbps/5mbps pipe and it was nowhere near capacity at
the time this happened. Later we set up a work-around where we streamed
to the US and relayed the stream back to Paris, and the listener numbers
were higher still with no problems.
A 5mbps pipe should be able to handle 30+ listeners at 128kbps. I had
between 5 and 10 when the incident occurred, and we peaked at 16 later with
no disruption at all. None of these log messages were seen later either.
I've been administering servers with Icecast/Shoutcast servers running
for 10 years and have never seen this at all.
> Are there SYN cookie statistics saying how many SYNs vs. how many ACKs
> arrive?
Where would I see this?
> If not, try to disable SYN cookies, and see whether the number of
> connections in SYN_RECV state (netstat -a) is steady or increasing over the
> minute or so after disabling cookies. If it is not increasing, then this is
> not an attack.
Well I will have to wait until it happens again. The fact that it only
shows up in the log when I have been broadcasting is rather suspicious.
Geoff.
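
Added example, not part of the original message: on Linux the SYN cookie counters asked about above are in the TcpExt lines of /proc/net/netstat, and half-open connections show up in /proc/net/tcp with state 03 (SYN_RECV). The sketch below reads both and samples the SYN_RECV count for a minute; the sample data is constructed and the `trend` rule is an assumed heuristic, not something from the thread.

```python
import time

SYN_RECV = "03"  # hex TCP state code in the "st" column of /proc/net/tcp

# Constructed sample data in the kernel's formats (not taken from the thread).
SAMPLE_NETSTAT = (
    "TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts\n"
    "TcpExt: 1200 35 410 2\n"
)
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue\n"
    "   0: 00000000:1F40 00000000:0000 0A 00000000:00000000\n"
    "   1: 0A000001:1F40 C0000201:C001 03 00000000:00000000\n"
    "   2: 0A000001:1F40 C0000202:C002 03 00000000:00000000\n"
    "   3: 0A000001:1F40 C6336401:D431 01 00000000:00000000\n"
)

def parse_tcpext(text):
    """Return the TcpExt counters of /proc/net/netstat as {name: int}."""
    rows = [l.split() for l in text.splitlines() if l.startswith("TcpExt:")]
    if len(rows) < 2:
        return {}
    return {name: int(val) for name, val in zip(rows[0][1:], rows[1][1:])}

def count_syn_recv(text):
    """Count SYN_RECV sockets in /proc/net/tcp (or tcp6) content."""
    lines = text.splitlines()[1:]  # skip the header row
    return sum(1 for l in lines if len(l.split()) > 3 and l.split()[3] == SYN_RECV)

def trend(samples):
    """Assumed heuristic: 'increasing' if the count ends higher than it
    started and rose in more than half of the intervals, else 'steady'."""
    rises = sum(b > a for a, b in zip(samples, samples[1:]))
    grew = len(samples) > 1 and samples[-1] > samples[0]
    return "increasing" if grew and rises * 2 > len(samples) - 1 else "steady"

def read(path):
    with open(path) as f:
        return f.read()

if __name__ == "__main__":
    ext = parse_tcpext(read("/proc/net/netstat"))
    for key in ("SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed"):
        print(key, ext.get(key))
    samples = []
    for _ in range(12):  # one minute at 5-second intervals
        samples.append(count_syn_recv(read("/proc/net/tcp")))
        time.sleep(5)
    print(samples, trend(samples))
```

IPv6 listeners are listed in /proc/net/tcp6, which has the same column layout and can be passed to `count_syn_recv` as well.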